It’s mostly that we trust all code running on a branch but not necessarily code running from PRs from forks, same as how Jenkins treats the Jenkinsfile today. After thinking about this for a bit I don’t think it’s a huge deal since nodes are mostly ephemeral, we just need to ensure we don’t pass secrets via environment variables to untrusted code. Also we probably wouldn’t want to rebuild docker images per commit just because the images themselves are quite large (25+ GB in some cases), but we can pretty easily detect changes to the docker/* directory and rebuild in that case.